Documents Leaked Following U.S. Police Union Hack

Hundreds of documents stolen from the systems of the Fraternal Order of Police (FOP) were leaked online last week, and the individual who made them available claimed to be in possession of much more information.

According to its official website, the FOP is the largest police union in the United States, representing more than 325,000 sworn law enforcement officers organized in 2,100 local chapters.

The hacker or hackers who breached the organization’s systems allegedly provided 18TB of data taken from the FOP to UK-based researcher and activist Thomas White, who uses the online moniker “CthulhuSec.” White, who claimed the data was provided to him by an anonymous source, said he has to conduct some research before releasing more of the files in his possession.

In a statement posted on Facebook, FOP President Chuck Canterbury said the documents leaked so far are just bargaining contracts that have already been publicly available on the Web. However, he has confirmed that the attacker appears to have gained access to all of the organization’s records, which has resulted in the official FOP website being shut down.

“Our professional computer experts have identified how the hackers made access but that information cannot be distributed at this time for obvious reasons. Suffice it to say that the level of sophistication was very high,” Canterbury said.

Canterbury blamed the attack, which allegedly originated from outside the US, on Anonymous hacktivists. Some reports also claimed the attack involved the use of a zero-day vulnerability.

In response to Canterbury’s statement, White said the attack was not conducted by Anonymous or a sympathiser of the movement, and pointed out that hacktivists only retweeted the files he initially released.

Furthermore, White denied that a zero-day exploit was used to breach FOP’s systems and noted that it was not a sophisticated attack.

“From what I know of how the attacker conducted it, you should be ashamed of how trivial it was that your servers were rooted. If your ‘computer experts’ have identified the flaw as you claim to have, you should realise you are either lying or have not hired experts if they call it sophisticated,” White said.

Experts who discussed the incident on Hacker News pointed out the existence of serious vulnerabilities on FOP’s website that could have been exploited to access sensitive information. They also found that the donations section on the police union’s website transmits payment card data over unencrypted HTTP.

White, who allegedly received death threats due to leaking the data, said he is not “anti-police” and advised against using the information to attack law enforcement. He claims that the purpose of the leak is to have corruption and other wrongdoing exposed.

As security researcher Scott Arciszewski pointed out, authorities in the United States could charge White under the Computer Fraud and Abuse Act (CFAA), a controversial piece of legislation that has been used to prosecute many hackers in recent years. However, White says he is not concerned because he is in the United Kingdom and his legal advisors are confident that he hasn’t broken any laws.

Authorities in the United States have reportedly launched an investigation into the matter. White says he is prepared to answer any questions and is even willing to meet in person, but only in the United Kingdom.

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.